Reasons for IP spoofing: the good, the bad and the ugly

Sep 20, 2016

Like impersonating your grandma on the phone, IP spoofing is one of those things where it all comes down to intention. Generally speaking, that type of action doesn’t sound like a good thing to be doing, but what if it’s the only way to order grandma the cable channels she wants? IP spoofing is a similarly nuanced topic, with the reasons for it ranging from fine and dandy to completely atrocious.

The ins and outs of IP spoofing

According to DDoS mitigation service provider Imperva Incapsula’s spoofing definition, IP spoofing is the process of masking the source of internet traffic by making it look as though that traffic is coming from another device or user on the internet.

When data packets are sent over the internet, they get to where they’re going through the use of headers that contain information for routing and transmission continuity. IP spoofing is accomplished by falsifying one of these header fields, the source IP address, so that it carries an address other than the actual source, usually an arbitrary one.

Good reasons for an online disguise

Online privacy has been a major topic these past few years, especially with data breaches making the news seemingly on the daily, and one of the major reasons someone would opt to hide their own IP is to remain anonymous or protect their privacy (including sensitive data) online.

If you can’t imagine any other reason for switching your IP, it’s probably because you live in a country where – barring a few very serious laws – you’re allowed to do what you want on the internet and visit whatever sites you like. This is not the case for people living in countries with authoritarian regimes where there is big-time online censorship and surveillance. A person in China, for example, may want to use a European or US IP address in order to access news sites or post their own blogs.

Somewhat iffy reasons for an online disguise

The grey area reasons for IP spoofing typically involve circumventing a website’s rules. This can include accessing content that would be blocked from you based on your geolocation, for example using a US IP address to access that much better Netflix selection when you live in Canada, or bypassing bans you’ve been given on websites. IP spoofing can also be used to register more than one account on a website that only allows users to register once, such as for contests.

All in all the IP spoofing shenanigans that fall under the somewhat iffy heading tend to be rule breakers, but they’re nowhere near as serious as the next category.

The no good very bad reasons for an online disguise

IP spoofing is a major strategy when it comes to cyberattacks. IP spoofing can be used in man-in-the-middle attacks to hijack an authorized session between a user and a website and intercept information. It can also be used to suss out the state of a firewall, or to scan a host to gather information about applications, operating systems and open ports, checking for vulnerabilities that can be exploited.

When an attacker is thinking larger-scale, IP spoofing is frequently used in distributed denial of service (DDoS) attacks. It is used to hide the location of a botnet, rendering the botnet untraceable as well as helping it bypass IP blacklisting security measures that may otherwise have caught it. IP spoofing is also used in reflected network layer DDoS attacks like DNS amplification, smurf attacks and NTP amplification, where an attacker masquerades as the attack’s target, sending out requests and setting up the target to be walloped by large responses.

Protecting against the bad IP spoofing

When security solutions – including DDoS mitigation solutions – can’t rely on blacklisting to keep malicious traffic away from a website, they have to dig deeper.

Deep packet inspection is a security process that inspects all of a data packet’s headers in order to identify malicious packets and build a profile that allows the solution to filter out those malicious packets, never allowing them to get to the target website or network.
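The header inspection described above, and the reflection scenario from the previous section in which an attacker sends requests carrying the target’s address as the source, can both be illustrated with a small edge filter. The following is an added example, not code from the original post or from Imperva Incapsula: it decodes the raw IPv4 header of each packet (version, header length, TTL, protocol, checksum, addresses) and applies the classic anti-spoofing rules of ingress filtering (RFC 2827 / BCP 38): packets arriving from the internet may not claim a source inside the protected prefix or a bogon range, and packets leaving the local network must carry a source inside that prefix. The prefixes 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges used as constructed sample addresses; the sample packets are built in memory purely as test input for the filter.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Prefixes that must never be the source of a packet arriving from the public
# internet (unspecified, RFC 1918 private, loopback, link-local, multicast and
# reserved space). Such a source is spoofed or misrouted.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


@dataclass
class IPv4Header:
    ihl: int
    ttl: int
    protocol: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode and validate the IPv4 header; raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    # A correct header sums to zero when the checksum field itself is included.
    if ipv4_checksum(packet[:ihl * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return IPv4Header(ihl, ttl, proto,
                      ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst))


def classify(packet: bytes, local_net: ipaddress.IPv4Network, direction: str) -> str:
    """Anti-spoofing verdict for one packet at the network edge.

    direction="inbound":  arriving from the internet; the source must not claim
                          to be inside local_net and must not be a bogon.
    direction="outbound": leaving the local network; the source must lie inside
                          local_net (ingress filtering, BCP 38).
    Returns "accept" or a "drop: <reason>" string.
    """
    try:
        hdr = parse_ipv4_header(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    if hdr.src == hdr.dst:
        return "drop: source equals destination"
    if direction == "inbound":
        if hdr.src in local_net:
            return "drop: external packet claims an internal source"
        if any(hdr.src in net for net in BOGON_PREFIXES):
            return "drop: bogon source address"
    elif direction == "outbound":
        if hdr.src not in local_net:
            return "drop: outbound source not in local prefix"
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return "accept"


def build_ipv4_packet(src: str, dst: str, payload: bytes = b"",
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 packet with a valid header checksum (test input only)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


# Constructed samples: the edge router protects 198.51.100.0/24; 203.0.113.0/24
# stands in for "the rest of the internet" (both RFC 5737 documentation ranges).
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
_good_in = build_ipv4_packet("203.0.113.7", "198.51.100.10")
SAMPLES = {
    "legit inbound":              (_good_in, "inbound"),
    "inbound with local source":  (build_ipv4_packet("198.51.100.10", "198.51.100.53"), "inbound"),
    "inbound private source":     (build_ipv4_packet("10.0.0.5", "198.51.100.10"), "inbound"),
    "legit outbound":             (build_ipv4_packet("198.51.100.10", "203.0.113.7"), "outbound"),
    # reflection request leaving the attacker's network with the target's address as source
    "spoofed outbound":           (build_ipv4_packet("203.0.113.99", "203.0.113.7"), "outbound"),
    "truncated header":           (_good_in[:19], "inbound"),
    "corrupted checksum":         (_good_in[:10] + b"\x00\x00" + _good_in[12:], "inbound"),
}


def run_samples() -> dict:
    """Classify every sample and return {name: verdict}."""
    return {name: classify(pkt, LOCAL_NET, d) for name, (pkt, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26} -> {verdict}")
```

The outbound rule is the one that actually stops the reflection attacks described earlier, because the spoofed request is only recognisable as spoofed on the network it leaves, where its source address does not belong; the inbound rules catch packets that forge an address inside the network they are entering. A production filter would also verify the checksum only when hardware offload has not done so already, and would keep the bogon list current rather than hard-coded.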

When choosing a distributed denial of service mitigation solution that uses deep packet analysis, be sure to look for one that also has the resources to keep the network flowing smoothly while an attack is under way and the resource-intensive deep packet analysis is being performed. Having robust scrubbing servers or purpose-built mitigation hardware is a good indication that a security solution can handle everything an attacker is going to throw at it.